Passive Operating System Fingerprinting with p0f on Linux March 6, 2011

Passive fingerprinting works by quietly examining packets for patterns, without sending any data to the target host. Because the analysis is passive, the remote system cannot detect the packet capture, and the process does not generate any suspicious network traffic. Although other well-known and tested tools (like nmap, ettercap, Siphon) exist, p0f is considered the granddaddy of passive operating system fingerprinting. In the tool's name, the O in operating system is replaced with a 0 (zero) character.

There are two methods of detecting the type of Operating System a host is running.

Active OS fingerprinting has been the most widely used method when analyzing a system. This is the method used in tools such as nmap by Fyodor (http://www.insecure.org/nmap). It involves sending crafted, abnormal packets to the remote host and analyzing the replies that come back. Different TCP stacks give different replies, which allows the analysis tool to recognize a particular OS. If the remote host's network is protected by IDS or firewall devices, such attacks will be detected.

Passive OS fingerprinting, on the other hand, does not contact the remote host. Instead, it captures traffic coming from a connecting host to the local network. The captured packets are the ones the remote host sends when it attempts to establish a connection to a host on the local network.

Active OS fingerprinting is a fast process, and a large number of hosts can be scanned in a short time frame. Passive fingerprinting, on the other hand, is a much slower process, and works best when used on stored data (from a file).

p0f can identify the system on machines that connect to your box, machines you connect to, and even machines that merely go through or near your box.

p0f attempts to match the packets against a database of known characteristics (stored in /etc/p0f/p0f.fp), and is quite good at determining the general flavor of the operating system. p0f is based on the libpcap library, like many other utilities (tcpdump, wireshark, ettercap, ...), so it is fully compatible with them. A good practice might be to capture network traffic with tcpdump, save it to a libpcap file, and then let p0f analyze its contents (with the -s option).
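To make the matching step concrete, here is an added example (not p0f's code and not part of the original post) that extracts the kind of header fields a passive SYN fingerprint compares (window size, estimated initial TTL, DF bit, packet size, TCP option order) and looks them up in a table. The packet bytes, the signature entries and their labels are constructed for illustration; a real database such as p0f.fp also uses wildcards, which this exact-match lookup omits.

```python
import struct

# Constructed sample (not a real capture): IPv4 + TCP SYN, observed TTL 57,
# DF set, window 5840, options MSS 1460, SACK-permitted, timestamp, NOP, wscale 7.
SAMPLE_SYN = bytes.fromhex(
    "4500003c1c46400039060000c0000205c633640a"   # IPv4 header, 192.0.2.5 -> 198.51.100.10
    "c35000500000000100000000a00216d000000000"   # TCP header, flags = SYN
    "020405b40402080a000000010000000001030307")  # TCP options

# Constructed table, not entries from p0f.fp:
# (window, initial TTL, DF, SYN size, option layout) -> hypothetical label
SIGNATURES = {
    (5840, 64, 1, 60, "M1460,S,T,N,W7"): "example-stack-A",
    (65535, 128, 1, 48, "M1460,N,N,S"): "example-stack-B",
}
OPT_NAMES = {1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}  # NOP, MSS, wscale, SACK-ok, timestamp

def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)

def syn_features(pkt):
    """Return the header fields a passive SYN fingerprint compares."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4 TCP packet")
    size, _, frag, ttl = struct.unpack("!HHHB", pkt[2:9])
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(tcp) < 20 or tcp[13] & 0x12 != 0x02:   # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    raw, opts, i = tcp[20:(tcp[12] >> 4) * 4], [], 0
    while i < len(raw) and raw[i] != 0:           # kind 0 ends the option list
        kind = raw[i]
        length = 1 if kind == 1 else (raw[i + 1] if i + 1 < len(raw) else 0)
        if (kind != 1 and length < 2) or i + length > len(raw):
            raise ValueError("malformed TCP option")
        body = raw[i + 2:i + length]
        value = int.from_bytes(body, "big") if kind in (2, 3) else ""
        opts.append("%s%s" % (OPT_NAMES.get(kind, "?%d" % kind), value))
        i += length
    return (window, initial_ttl(ttl), (frag >> 14) & 1, size, ",".join(opts))

def classify(pkt):
    """Look the extracted features up in the signature table."""
    return SIGNATURES.get(syn_features(pkt), "UNKNOWN")
```

The observed TTL of 57 is rounded up to 64 because every router hop decrements it, so the sender's initial value has to be estimated rather than read directly.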

To accomplish the job, p0f equips you with four different detection modes:

Incoming connection fingerprinting (SYN mode, the default; no options needed). Use this mode whenever you want to know the OS of remote hosts that connect to your box.

As the README states, p0f is actually more suited for things like profiling, espionage, policy enforcement, penetration testing, and bypassing firewalls than it is simply for amusement. The more you know about it and its capabilities, the better chance you have of maintaining your own security.

Installing p0f:

On a RedHat-based Linux distribution, the yum installer can handle the installation if rpmforge is on the repository list. If you really need to compile from the source code, visit the official home page of p0f.

Options

-i interface

If you have more than one network interface, you can select which interface to use.

-s file

If you have a tcpdump file that you created earlier, you can make p0f use it rather than live capture.

-w file

You can also use p0f to record network traffic into a tcpdump file.

-o file

If you’re using p0f in a script, use this option to dump the output into a text file for later perusal.

-p

By default, p0f looks only at network packets that are addressed to the machine where it is running. To look at all the packets that go by on the network, you need to set the card into promiscuous mode.

-O (capital letter O)

By default, p0f sees machines only when they open new connections. With this option, you can try to guess what's going on with already-opened connections. This option can generate a lot of data, so you probably won't want to use it for an extended period of time.

-M

More and more often, machines are actually located behind routers and NATs, so they don't really show up as individual machines. With this option, you can try to identify these types of machines.

-v

Verbose mode.

-t

Add a timestamp to the output.

-f

The fingerprint database is located in a file called "/etc/p0f/p0f.fp", which is used by default. To use another file, use this option.